ALEXA SKILLS BUSINESS ASSOCIATE AGREEMENT
THIS ALEXA SKILLS BUSINESS ASSOCIATE AGREEMENT (this “Alexa BAA”) between the Developer (as defined in the Amazon Developer Services Agreement), when acting as a Covered Entity or Business Associate under HIPAA (as defined below) (“you”), and Amazon.com Services LLC (“Amazon”), is an addendum to the Amazon Developer Services Agreement by and between you and Amazon.
1. Definitions. A “Health Skill” is an Alexa Skill that (a) you identify as a “Health Skill” via means specified by Amazon; (b) transmits PHI to Amazon or causes Amazon to create, receive, maintain, or transmit PHI; (c) Amazon has approved and made available to Alexa customers; and (d) meets all requirements for Health Skills, including applicable Program Policies. “HIPAA” means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended from time to time. “PHI” means protected health information as defined in 45 C.F.R. 160.103 of HIPAA that is created, received, maintained, or transmitted from you or on your behalf by Amazon in connection with your Health Skills and in Amazon’s capacity as your Business Associate. The “Privacy Rule” means the regulations at 45 C.F.R. Part 160 and Subparts A and E of Part 164. The “Security Rule” means the regulations at 45 C.F.R. Part 160 and Subparts A and C of Part 164. The following capitalized terms have the meaning set forth in HIPAA: Breach, Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Disclosure (and Disclose), Individual, Limited Data Set, Protected Health Information, Required by Law, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Unless defined in this Alexa BAA, all other capitalized terms have the meanings set forth in the Amazon Developer Services Agreement.
2.1. Applicability to Health Skills. This Alexa BAA applies only to your Health Skills and PHI created, received, maintained, or transmitted by the Alexa Service in connection with end-user interactions processed by your Health Skills. This Alexa BAA does not apply to (a) any Alexa Skills that are not Health Skills, (b) any interactions end users have with Alexa that are not processed by your Health Skills, (c) any information created, received, maintained, or transmitted by end users or end-user devices before it is received by Amazon, or (d) any other services offered or operated by Amazon or its affiliates. This Alexa BAA does not apply to information provided by your Health Skill that an end user directs Amazon to Use or Disclose outside of your Health Skill (for example, if an end user directs Amazon to create a calendar appointment or a reminder using information provided by your Health Skill).
3. Permitted and Required Uses and Disclosures.
3.1. Service Offerings. Amazon may Use and Disclose PHI for you and on your behalf to (a) enable the operation of your Health Skill, (b) enable end users to access your Health Skill and information made available through your Health Skill, (c) provide the Alexa Service and related services to you and end users, and (d) provide other services as specified in the Agreement and this Alexa BAA.
3.2. Administration, Management, and Legal Responsibilities of Amazon. Amazon may Use and Disclose PHI as necessary for the proper management and administration of Amazon and its affiliates, including to provide and improve the Alexa Service and related services (for example, by using machine learning or similar techniques to improve speech recognition, natural language understanding, and text-to-speech capabilities) and to carry out the legal responsibilities of Amazon and its affiliates. Any Disclosures by Amazon to third parties under this section will be made only if Required by Law or if Amazon obtains reasonable assurances from the recipient of the PHI to: (a) hold the PHI confidentially and Use and Disclose the PHI only as Required by Law or for the purpose for which it was Disclosed to the recipient; and (b) notify Amazon of any instances of which it is aware in which the confidentiality of the PHI has been Breached.
3.3. De-identification, Limited Data Sets & Data Aggregation. Amazon may de-identify PHI and Use and Disclose the de-identified information for any purpose (unless prohibited by HIPAA). Amazon may Use and Disclose PHI to create Limited Data Sets and to provide Data Aggregation services.
4. Amazon’s Obligations.
4.1. Limit on Uses and Disclosures. Amazon will Use and Disclose PHI only as permitted by this Alexa BAA or as Required by Law. Amazon will not Use or Disclose PHI in a manner that would violate HIPAA if done by a Covered Entity, unless permitted under HIPAA for a Business Associate.
4.2. Designated Record Sets; Access & Amendment. Amazon does not support Designated Record Sets for Health Skills, you will not use any PHI maintained by Amazon as a Designated Record Set, and no data you make available to Amazon will be considered a Designated Record Set. If in the future Amazon offers functionality expressly for the purpose of enabling you to create a Designated Record Set for your Health Skill, then (a) only data submitted in accordance with instructions Amazon provides for creating a Designated Record Set will be considered part of the Designated Record Set; (b) Amazon will make PHI in a Designated Record Set available to you so that you can comply with 45 C.F.R. § 164.524 of the Privacy Rule; and (c) Amazon will incorporate your amendments to the PHI in a Designated Record Set so you can comply with 45 C.F.R. § 164.526 of the Privacy Rule.
4.3. Accounting of Disclosures. Amazon will make available to you the information required to provide an accounting of Disclosures of which Amazon is aware in accordance with 45 C.F.R. § 164.528 of the Privacy Rule, as you may reasonably request.
4.4. Safeguards. Amazon will use reasonable and appropriate safeguards, as determined by Amazon, to prevent Use and Disclosure of the PHI other than as provided for by this Alexa BAA, as required by applicable provisions of the Security Rule.
4.5.1. Reporting of Impermissible Uses and Disclosures. Amazon will report to you any Use or Disclosure of PHI not provided for by this Alexa BAA of which Amazon becomes aware. Amazon may make these notifications in general and aggregated reports.
4.5.2. Reporting of Security Incidents. Amazon will report to you any Security Incidents involving PHI of which Amazon becomes aware in which there is a successful unauthorized (a) access, Use, Disclosure, modification, or destruction of PHI or (b) interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of PHI. Amazon may make these notifications in general and aggregated reports. Notice is hereby deemed provided, and no further notice needs to be provided, for unsuccessful Security Incidents, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised.
4.5.3. Frequency of Reporting. Amazon will provide reports related to unauthorized Uses and Disclosures and successful Security Incidents described in this Alexa BAA on no less than a quarterly basis.
4.5.4. Reporting of Breaches. Amazon will report to you any Breach of your Unsecured Protected Health Information Amazon discovers to the extent required by 45 C.F.R. § 164.410. Amazon will make this report without unreasonable delay, and in no case later than 30 calendar days after discovery of the Breach, subject to any enforcement delay as provided in HIPAA.
4.6. Subcontractors. Amazon will require any Subcontractors that create, receive, maintain, or transmit PHI on its behalf to agree to restrictions and conditions at least as stringent as those found in this Alexa BAA and agree to comply with the applicable provisions of the Security Rule.
4.7. Covered Functions. If Amazon undertakes a Covered Entity obligation covered by the Privacy Rule, Amazon will comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of that obligation.
4.8. Internal Records. Amazon will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”), solely in response to an HHS request, for purposes of determining your compliance with HIPAA. Nothing in this section waives any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.
5. Your Obligations.
5.1. Operation of your Health Skill. You are responsible for the operation of your Health Skill and for any information made available to Amazon customers through your Health Skill, including for maintaining the security of such information and for restricting access to such information to authorized persons (e.g., by implementing appropriate authentication mechanisms within your Health Skill).
5.2. Appropriate Safeguards. You are responsible for implementing appropriate privacy and security safeguards for your Health Skill and for information created, received, maintained, or transmitted in connection with your Health Skill to protect PHI in compliance with HIPAA and this Alexa BAA. You will not create, receive, maintain, or transmit Protected Health Information to Amazon other than through your Health Skills.
5.3. Permissions; Notices of Privacy Practices; Restrictions on Disclosures. You represent, warrant, and covenant that you have obtained all necessary authorizations, consents, releases, and permissions and have provided, and will continue to provide, appropriate notice to Individuals, including, as applicable, in your notice of privacy practices, to permit Amazon to make available your Health Skills, and to create, receive, maintain, and transmit PHI as described in this Alexa BAA, including by enabling customers to access your Health Skills on Alexa. You will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Amazon to violate this Alexa BAA or any applicable law.
5.4. Compliance with HIPAA. You will not request or cause Amazon to make a Use or Disclosure of PHI or take other actions in a manner that does not comply with HIPAA, any other law, or this Alexa BAA.
6. Term and Termination.
6.1. Term. The term of this Alexa BAA will commence on the Alexa BAA Effective Date and will remain in effect until the earlier of (a) the termination of the Agreement, or (b) the termination of this Alexa BAA by either party as set forth below.
6.2. Termination. Either party may terminate this Alexa BAA for any reason upon 90 days prior written notice to the other party.
6.3. Effect of Termination. Upon termination of this Alexa BAA, Amazon, if feasible, will return or destroy all PHI that Amazon still maintains or, if return or destruction is not feasible, extend the protections of this Alexa BAA to the PHI and limit further Uses and Disclosures to those purposes that make the return or destruction of the PHI infeasible. Because certain aspects of the Alexa Service rely on maintaining records of end users’ interactions with Alexa (e.g., to enable end users of the Alexa Service to review their interaction history), the Parties acknowledge that it is not feasible for Amazon to destroy or return PHI upon termination of this Alexa BAA.
Data Use Agreement. If Amazon receives or creates a Limited Data Set based on your PHI, Amazon agrees to: (a) Use and Disclose the Limited Data Sets only for research, public health, or health care operations; (b) not Use or Disclose the Limited Data Set in a manner that would violate the Privacy Rule if done by the Covered Entity; (c) permit only authorized personnel to Use or receive the Limited Data Sets; (d) not Use or Disclose the Limited Data Set other than as permitted by this section or as Required by Law; (e) use appropriate safeguards to prevent Use or Disclosure of the Limited Data Set other than as provided in this section; (f) report to you any Use or Disclosure of the Limited Data Set not provided in this section of which it becomes aware; (g) require any agents to whom it provides the Limited Data Set to agree to the same restrictions and conditions that apply in this section; and (h) not identify the Individuals in the Limited Data Set or use the Limited Data Set to contact those Individuals. You will not provide Amazon any Limited Data Set without Amazon’s prior written approval.
No Agency Relationship. As set forth in the Agreement, the parties are independent contractors and nothing creates a partnership, joint venture, agency, or similar relationship.
Nondisclosure. Only to the extent that we make this Alexa BAA publicly accessible online, the terms and existence of this Alexa BAA are not considered confidential information for purposes of your confidentiality obligations under the Agreement.
No Third Party Beneficiaries. This Alexa BAA is not intended to create any rights or benefits in any person or entity other than the parties or their successors or assigns.
Entire Agreement; Conflict. Except as modified by the terms of this Alexa BAA, all terms and conditions of the Agreement will remain in full force and effect and apply to the terms described in this Alexa BAA. To the extent there is any conflict between the terms of the Agreement and the terms of this Alexa BAA, the terms of this Alexa BAA will control. Following any termination or expiration of this Alexa BAA, any provision which, by its nature or express terms should survive, will survive the termination or expiration. This Alexa BAA, together with the Agreement as amended by this Alexa BAA: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to this particular subject matter.
Modification. Changes to the terms of this Alexa BAA will not apply to you until 7 days after we notify you (e.g., by sending you an email or by providing you with a notification in your Amazon Developer account) that we have changed the Alexa Skills Business Associate Agreement. However, if any change relates to terms for new features or functionality and you choose to use those features or functionality, then you are immediately subject to those terms. Any modifications of this Alexa BAA or Amazon’s policies related to the protection of PHI will be consistent with HIPAA and will apply to all PHI that Amazon has created, received, maintained, or transmitted in the past or will do so in the future.
[Remainder of Page Intentionally Left Blank]